Date:      Thu, 14 Jan 1999 15:37:09 +0100
From:      Eivind Eklund <eivind@FreeBSD.ORG>
To:        Andrew McNaughton <andrew@squiz.co.nz>
Cc:        "Jan B. Koum " <jkb@best.com>, security@FreeBSD.ORG
Subject:   Re: examples rules ipfw
Message-ID:  <19990114153709.A88792@bitbox.follo.net>
In-Reply-To: <Pine.BSF.4.05.9901142255490.329-100000@aniwa.sky>; from Andrew McNaughton on Thu, Jan 14, 1999 at 11:00:41PM +1300
References:  <19990112042358.C303@best.com> <Pine.BSF.4.05.9901142255490.329-100000@aniwa.sky>

On Thu, Jan 14, 1999 at 11:00:41PM +1300, Andrew McNaughton wrote:
> > 	You would be much better off using passive ftp (ftp -p) than opening
> > 	up all those holes into your network.
> 
> I connect to specific hosts which disallow passive ftp, so I don't use
> this approach.  I'd be curious to know how common this is?

If you need another secure approach, look at libalias.

It contains my code for automatically creating tiny 'holes' in the
firewall just allowing one specific connection through.

Unfortunately, there are not any clients in FreeBSD that use that as
of today, but you should be able to build it into natd and ppp fairly
easily (it is only two function calls to enable it; one to set the
rule number range in the firewall rules to use for creating 'holes',
and one to enable the flag).

I guess the code could be adapted to be usable in environments without
NAT, but I haven't really looked into it.  I don't really approve of
using pure packet filters for a firewall.

Eivind.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?19990114153709.A88792>